Information Security Management System (ISMS)
The fully-fledged ISMS for certification according to IT-Basic Protection and ISO 27001
Anyone dealing with the topic “information security” will sooner or later come across ISO/IEC 27001, a standard which describes the requirements that an Information Security Management System (ISMS) must fulfil. But what exactly is an ISMS? And furthermore, why is this something that most companies need?
What is an ISMS?
The term ISMS (Information Security Management System) is often used as if it referred to a particular piece of software. It does not. An ISMS is a set of rules and processes whose purpose is to permanently monitor, control and ensure information security within a company or organisation, and to continuously improve it through those defined rules and processes.
The planning and documentation of these processes and measures can be supported by a tool such as the i-doit ISMS. There, for every documented asset, you define the persons and roles responsible for information security or for parts of it.
For risk assessment you can use the complete IT-Basic Protection Compendium published by the BSI, including its predefined threats and requirements. External catalogues such as the ISO/IEC 27001 controls are also suitable for this purpose. You can supplement these catalogues with your own evaluation criteria, measures and damage scenarios.
ISMS is a top down approach
It should be made clear that information security is a matter for corporate management. For this reason, an ISMS is always introduced according to the top-down approach.
The security guidelines are first drawn up and approved by the company management. The exact elaboration and implementation is usually assigned to specific employees or managers.
Usually an IT security officer is also appointed. Because they are firmly integrated into the ISMS process, IT security officers are of particular importance: they are involved in the selection of new IT components in close co-ordination with the IT managers and are the contact persons for all IT security issues. As a rule, an IT security officer reports directly to company management and usually has their own budget.
Which advantages does an ISMS offer?
Implementing an ISMS does involve a lot of effort, but this effort is more than justified, because all activities are centred around protecting the all important existing data.
During the ISMS implementation you will design processes and procedures, establish them and create the corresponding documents. This means that your employees will actively deal with the topic of information security. They will also be actively involved in the design process. This active involvement has a decisive advantage. As well as the process-orientated and technical introduction of an ISMS, your employees will develop a special sensitivity for the topic of “security”.
Information security management means much more than only advancing the topic of information security. You will also improve the protection of your data, which is ultimately your company’s capital.
The data that is most important for the “survival” of the company has an especially high level of protection. This also includes personal data, which is exposed to many dangers. While the loss of this data due to technical errors is a problem you could face, it’s the possible theft of the data by third parties that could be particularly dangerous. In most cases, such theft originates from external sources, and not from your company. Nevertheless, an ISMS also takes into account the risk of internal data theft.
Would you like to know more?
Send us a message if you would like to receive more information about the i-doit ISMS. We look forward to your inquiry.
Plan investments better and secure competitive advantage
When planning budgets and investments, a sound basis for targeted and forward-looking decisions is often missing. Almost all companies face the same problem: there are more than enough open issues. So where is capital best spent? After all, the goal is not just to patch existing holes but to position the company better than the competition.
Through the data in the ISMS you can see immediately which data and areas are not sufficiently protected; conversely, this is where investment currently creates the greatest added value. Early recognition of risks and their consequences is a good use of budget. It is not unusual for new risks to be identified in the course of an ISMS implementation; these have usually never been considered in this way before and are then given high priority.
Certification according to ISO/IEC 27001 is also a competitive advantage. Customers can recognise that information security is managed according to a recognised standard and has been verified by an independent auditor, which builds trust. Note that the certificate attests to a functioning management system, not to the absence of vulnerabilities in individual systems. Furthermore, an ISMS gives you a basis for auditing your suppliers: you can check whether they provide the agreed services and whether the quality of these services is sufficient.
Companies and public authorities impose compliance requirements when awarding contracts, and your company must comply with them when bidding. With an ISMS you have the relevant evidence to hand and can meet submission deadlines.
ISMS and data protection
Logically, information security and data protection belong together, and data protection officers in particular would agree without reservation. Formally, however, data protection is not a component of an ISMS, and the "data protection" module of the IT-Basic Protection Compendium is not part of the formal BSI certification.
Unlike the other modules of the IT-Basic Protection Compendium, the data protection module is based on the legal requirements of data protection law, and it has no counterpart in the ISO/IEC 27001 standard. The BSI uses this module to link information security with the requirements of the Standard Data Protection Model (SDM).
Data protection primarily concerns personal data, which has become particularly clear since the General Data Protection Regulation (GDPR, in German DSGVO) came into force. Nevertheless, personal data does not get special treatment in an information security management system: it is treated like all other data, according to its assessed protection needs.
Data protection officers, whose primary concern is the secure and lawful processing of personal data, can still breathe a sigh of relief: an ISMS serves to protect data in general and therefore personal data too. But data protection management must not be confused with an ISMS. An information security management system needs extensions in order to comply with data protection from a legal and technical point of view.
Standards and norms
The ISO 2700X standards
ISO and IEC have jointly published a family of more than 20 standards relevant to information security, numbered in the ISO/IEC 27000 range. Each of these standards describes a sub-area of information security management or IT security.
Of particular interest for the topic ISMS is ISO/IEC 27001, which specifies the requirements for establishing, implementing, maintaining and continually improving a documented information security management system, including requirements for assessing and treating information security risks. The standard is applicable to all types of organisations, from trading companies to non-profit organisations.
In most cases, ISO/IEC 27001 certification is recommended for companies. During certification, an external auditor determines whether the requirements of the standard are implemented and fulfilled.
The audit report is then evaluated and the certificate issued by an accredited certification body.
A successful certification is advantageous for every company: it demonstrates the introduction and operation of an effective ISMS to customers and business partners.
ISO 27005 – IT risk management
While ISO/IEC 27001 deals with the requirements for an ISMS, ISO/IEC 27005 provides guidance on information security risk management. It describes how to establish a risk analysis process within the company and its individual steps (context establishment, risk identification, analysis, evaluation, treatment, acceptance, communication, monitoring and review) without prescribing a specific method.
The focus is on assessing risks and deciding how to treat them. A company's assets are threatened directly or indirectly by various factors, for example weaknesses in systems or processes, or different kinds of impacts that could affect the organisation.
In addition to identifying risks, this area also covers the management of measures. Here the annexes of ISO/IEC 27005 refer back to ISO/IEC 27001, which ensures a systematic, documented procedure and continuous improvement of the processes.
The IT-Basic Protection Compendium of the BSI
The Federal Office for Information Security (BSI) regularly publishes the IT-Basic Protection Compendium (IT-Grundschutz-Kompendium). It is an extensive collection of texts, the so-called building blocks, each of which deals with all security-relevant aspects of a specific topic. The building blocks are grouped into ten layers, for example "ISMS: Security Management", "ORP: Organisation and Personnel" and "APP: Applications". For each building block, possible threats as well as the required security safeguards are listed.
These requirements are divided into basic requirements, standard requirements and requirements for increased protection needs. Each company can therefore decide individually which level of protection it wants to achieve.
Together with the BSI standards, this compendium forms a thematic basis for anyone who wants to deal with information security more intensively. Certification according to the IT-Basic Protection Compendium is also possible; the current edition of the compendium is the one relevant for certification.
BSI standard 100 vs. BSI standard 200
The BSI standards 100-1, 100-2 and 100-3, likewise published by the Federal Office for Information Security, also dealt with the development of an ISMS and with risk management. They served companies as a guideline and orientation aid for achieving a higher level of protection. The 100 series was completely replaced in October 2017 by the BSI standards 200-1, 200-2 and 200-3.
BSI standard 200-1 ("Management Systems for Information Security") describes the general requirements for an ISMS. It is compatible with ISO/IEC 27001 and takes into account the recommendations and terminology of the ISO standard.
BSI standard 200-2 ("IT-Basic Protection Methodology") forms the basis for implementing an ISMS. It contains three proven approaches: basic protection provides broad, entry-level safeguarding as a first step towards an ISMS; core protection concentrates on a smaller, particularly important part of a larger information network; standard protection describes the complete security process.
BSI standard 200-3 ("Risk Management") bundles all risk-related work steps for implementing IT-Basic Protection: identifying elementary threats, classifying risks and treating them. It is aimed at organisations that have already worked through the IT-Basic Protection methodology. Compared with its predecessor BSI 100-3, it reduces the effort needed to reach a defined level of protection.
Implementation of an ISMS
Identifying protected areas
First of all, you must narrow down the scope of the ISMS. Possible protection areas are:
- the entire organisation
- a part of the organisation
- specific lines of business
- one site
- individual systems.
Be clear about which areas your ISMS should and must cover. Consider which information assets you need to protect and via which interfaces they can be accessed: by your own employees, customers, suppliers, other companies and service providers. Analyse the processes involved, since they ultimately play a decisive role.
Identifying and evaluating risk
After you have identified the objects to be protected, the so-called assets, the next step is to determine the risks. You must not only identify them but also assess them.
For this purpose you take possible threats from the corresponding catalogues and apply them to the respective assets. In addition to the probability of occurrence, consider which damage scenarios could result when a threat materialises, for example financial damage, damage to the company's image or physical damage, and the impact on the confidentiality, integrity and availability of the assets. Once you have done this, you can assess the consequences of a security incident for the company.
Measures and responsibilities
For each possible risk you can now select different measures from the catalogue of measures. These can be used, for example, to reduce the probability of occurrence or to reduce the resulting damage.
Employees' smartphones are often connected to various services in order to access important documents and customer data. A possible risk here would be "loss of a smartphone".
If the device is lost, unauthorised persons could access the data. In the worst case, the data could be modified, sold or otherwise misused, resulting in financial and/or image damage.
One measure to reduce the extent of damage would be the ability to remotely wipe the data on lost smartphones. Another measure would be rolling out a policy that requires a 6-digit PIN on all mobile devices; combined with the device's storage encryption and a limit on PIN attempts, this significantly reduces the likelihood that a lost device yields its data.
Defining the measures is one task; monitoring their implementation is another, and it must be continuous rather than a one-off activity.
The central element of an ISMS is the creation of processes that ensure regular monitoring of progress and continuous improvement of the security level.
For implementation it is therefore necessary to nominate persons responsible for each measure. Following the classic PDCA cycle (Plan, Do, Check, Act), the progress of implementation is measured and the ISMS is continuously improved.
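The assess-treat-track cycle described above (assets, threats, likelihood and C/I/A impact, measures with owners, residual risk that only counts implemented measures) can be made concrete in a small risk register. The following is an added example written for this page, not code from i-doit or the BSI. The 1..5 ordinal scales, the "likelihood x worst-case impact" scoring rule, the acceptance bands and the measure identifiers M-01/M-02 are assumptions; the asset and its ratings are constructed. The elementary threat number quoted is the one for "loss of devices, storage media and documents" in the BSI compendium's threat list.

```python
from dataclasses import dataclass, field
from enum import Enum


class Goal(Enum):
    """Protection goals assessed for every hazard."""
    CONFIDENTIALITY = "C"
    INTEGRITY = "I"
    AVAILABILITY = "A"


@dataclass
class Measure:
    """A safeguard from the measure catalogue, assigned to an owner and tracked through PDCA."""
    ident: str
    name: str
    owner: str
    status: str                                        # "planned", "in_progress" or "implemented"
    likelihood_delta: int = 0                          # reduction of the likelihood rating
    impact_delta: dict = field(default_factory=dict)   # Goal -> reduction of the impact rating


@dataclass
class Risk:
    """One hazard applied to one asset, rated on an assumed 1..5 ordinal scale."""
    asset: str
    hazard: str
    likelihood: int                # 1 = rare .. 5 = almost certain
    impact: dict                   # Goal -> 1 = negligible .. 5 = existential damage
    measures: list = field(default_factory=list)


def clamp(value, lo=1, hi=5):
    return max(lo, min(hi, value))


def score(likelihood, impact):
    """Assumed scoring rule: likelihood times the worst-case impact over C/I/A."""
    return likelihood * max(impact.values())


def classify(value):
    """Illustrative acceptance bands for a 1..25 score."""
    if value <= 5:
        return "low"
    if value <= 12:
        return "medium"
    return "high"


def inherent(risk):
    """Risk before any measure is credited."""
    return score(risk.likelihood, risk.impact)


def residual(risk):
    """Residual risk credits only measures whose status is 'implemented' (the Check step)."""
    lik = risk.likelihood
    imp = dict(risk.impact)
    for m in risk.measures:
        if m.status != "implemented":
            continue
        lik = clamp(lik - m.likelihood_delta)
        for goal, delta in m.impact_delta.items():
            imp[goal] = clamp(imp[goal] - delta)
    return score(lik, imp)


def open_actions(risk):
    """Measures still to be driven to completion, with the responsible person (the Act step)."""
    return [(m.ident, m.owner, m.status) for m in risk.measures if m.status != "implemented"]


def report(register, accept_up_to="medium"):
    """Per-asset status rows; 'accepted' is False while residual risk exceeds the accepted band."""
    order = {"low": 0, "medium": 1, "high": 2}
    rows = []
    for r in register:
        res = residual(r)
        band = classify(res)
        rows.append({
            "asset": r.asset,
            "hazard": r.hazard,
            "inherent": inherent(r),
            "residual": res,
            "class": band,
            "accepted": order[band] <= order[accept_up_to],
            "open": open_actions(r),
        })
    return rows


# Constructed sample register: the smartphone scenario from the text.
SMARTPHONE_LOSS = Risk(
    asset="Sales team smartphones",
    hazard="G 0.17 Loss of devices, storage media and documents",   # BSI elementary threat
    likelihood=4,
    impact={Goal.CONFIDENTIALITY: 4, Goal.INTEGRITY: 2, Goal.AVAILABILITY: 2},
    measures=[
        # Assumed measure: PIN plus storage encryption lowers the chance a lost device yields data.
        Measure("M-01", "6-digit device PIN with storage encryption enforced by MDM",
                owner="IT security officer", status="implemented", likelihood_delta=2),
        # Assumed measure: remote wipe limits the damage once a device is confirmed lost.
        Measure("M-02", "Remote wipe of lost or stolen devices",
                owner="Mobile device admin", status="planned",
                impact_delta={Goal.CONFIDENTIALITY: 2, Goal.INTEGRITY: 1}),
    ],
)

REGISTER = [SMARTPHONE_LOSS]

if __name__ == "__main__":
    for row in report(REGISTER):
        print(row)
```

Running it shows the inherent score of 16 ("high") falling to 8 ("medium") once only the PIN policy is implemented, with the remote-wipe measure listed as an open action for its owner; marking M-02 implemented brings the residual score down to 4 ("low"). The point of splitting likelihood and impact reductions per protection goal is that a measure such as a PIN says nothing about availability, so the register keeps showing the availability impact until a measure addressing it (for example a backup) is implemented.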
The i-doit ISMS
For the implementation of an ISMS:
- responsibilities must be defined
- risks need to be identified
- preventive and corrective measures should be identified
- new processes must be created
- the progress is documented
The larger your company, the more records you need to keep. The i-doit ISMS supports you in implementing an Information Security Management System and keeps all of these records centrally available.
Whether you want to improve your company’s position in the future or achieve ISO27001 certification, our ISMS provides you with significant support in both preparation and implementation.
For all assets of your company you can:
- view risks
- determine internal and external (elementary) hazards
- implement preventative and corrective measures
These functions enable you to map and organise your entire risk management.
With the ISMS you receive the necessary catalogues: the BSI IT-Basic Protection Compendium as well as ISO/IEC 27001 and B3S (the sector-specific security standards for operators of critical infrastructure). This eliminates the tedious manual creation of threats, vulnerabilities and measures.
Status and reporting of the implementation
The implementation of an ISMS involves a significant effort, which should not be underestimated. Recognising dangers and taking measures to counter them are important components. But the progress of the entire project and the implementation of the measures taken must also be traceable.
Our solution offers comprehensive documentation and reporting for each asset. In addition to the measures taken, this can include:
- persons in charge
- the progress of implementation
- evaluating the risk assessment according to group membership
The risk analysis of individual locations within a client is also supported.
Management and export of reports and documents
All assets can be processed centrally by different users. For this you can create users directly or connect a directory service such as Active Directory, integrate your existing security groups and configure access rights precisely per subject area and asset. If required, you can compile all information into PDF documents or export it as Excel reports.
The advantages of the i-doit ISMS:
- a complete management suite for information security according to ISO 27001 and the IT-Basic Protection of the German Federal Office for Information Security (BSI)
- structured development of an information security standard
- a sound information base for investments
- continuous improvement of information security
- infrastructure risks are significantly reduced
- risks are managed
- improved co-ordination between departments and employees
- availability of systems and services is improved in the long term
- intensive preparation for the defence against cyber attacks
- competitive advantage through a certified standard of information security
- reliable action for departments and employees in the event of system faults and IT emergencies